Security/CSP/HistoryModule

From MozillaWiki
Revision as of 17:27, 20 October 2009 by Collinj (talk | contribs) (threat model)

Overview

By observing the way a browser renders links, a site can query the browser’s history database and determine whether the user has visited URLs at other sites. The CSP HistoryModule allows web sites to block this privacy threat.

Threat Model

The HistoryModule is concerned with defending against an attacker with the following abilities:

  • The attacker can cause the user to visit the attacker's web page.
  • The attacker owns and operates a malicious web site (e.g., attacker.com).

We further assume the web developer wishes to prevent the attacker from achieving the following goals:

  • The attacker must not be able to determine whether a particular URL on the CSP web site has been previously visited.

We assume that the browser properly implements the same-origin policy and does not contain any privilege escalation vulnerabilities.

Syntax

The HistoryModule introduces the following directives:

directive               = safe-history

Semantics

A hyperlink to a CSP site that has specified the safe-history directive should not match the :visited CSS pseudo-class unless the hyperlink appears on the CSP site itself.
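
The rule above, modelled as a decision function a style engine could consult before applying :visited. This is an added example, not code from this wiki page or from any browser. It assumes "CSP site" means origin (scheme, host, port); `linkMatchesVisited`, the opted-in origin `bank.example` and the history entries are constructed for illustration.

```javascript
// Illustrative model of the safe-history rule; not browser or Mozilla code.
// Assumption: "site" is compared by origin, as computed by URL.origin.

// Constructed sample data: origins that sent the safe-history directive,
// and URLs present in the user's history database.
const safeHistoryOrigins = new Set(["https://bank.example"]);
const visitedUrls = new Set([
  "https://bank.example/accounts/overview",
  "https://news.example/story/1",
]);

// documentUrl: URL of the page that contains the link.
// href: the link target, absolute or relative to documentUrl.
// Returns true only if the link may be styled with :visited.
function linkMatchesVisited(documentUrl, href,
                            optedIn = safeHistoryOrigins,
                            history = visitedUrls) {
  let target;
  try {
    target = new URL(href, documentUrl);
  } catch {
    return false; // unparsable target: never styled as visited
  }
  if (!history.has(target.href)) {
    return false; // not in history, so :visited cannot apply anyway
  }
  const embedder = new URL(documentUrl);
  if (optedIn.has(target.origin) && target.origin !== embedder.origin) {
    // The target site asked for safe-history and the link sits on a
    // different site: hide the visited state from the embedding page.
    return false;
  }
  return true;
}
```

Under the origin assumption, a page served over `http://bank.example` is treated as a different site from `https://bank.example`, so it cannot observe the visited state either.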